Access control list (ACL)

The types of vault access are:
  • Owner
  • Read/write
  • Read
  • No access

These access types map to either the Read-and-List or the List-Only ACL. The ACL is a sub-resource attached to every bucket and object; it grants users read, write, or full-control permissions. The following table shows the common ACL behavior; one case, explicitly noted, is not S3-compliant.

Table 1. Vault ACLs

Permission            ACL behavior
Read                  Allows the grantee to list objects in the bucket.
                      Note: The system's Object Access property determines the behavior of the READ ACL. It can be configured with one of the following:
                        • Grant list access to the container or vault (S3-compliant behavior).
                        • Grant list access or read-and-list access to all objects in the container or vault.
                      See also: Configuring system properties.
Write (Read/Write)    Allows the grantee to create, overwrite, and delete any object in the bucket.
Read_ACP              Not supported. The default is full_control, implied by the bucket "owner" permission.
Write_ACP             Not supported. The default is full_control.
Full_control (owner)  Allows the grantee read, write, read_ACP, and write_ACP permissions on the bucket.

A System Administrator can grant a user individual object READ permission using the Cloud Storage Object API's PUT Object ACL operation.
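The following is an added example, not code from the product documentation: it builds the AccessControlPolicy body for a PUT Object ACL request that grants one user READ on a single object, and audits an ACL body against the table above, flagging READ_ACP/WRITE_ACP grants (listed as not supported) and FULL_CONTROL grants (which confer owner-level rights). It assumes the vault's PUT Object ACL accepts the standard S3 AccessControlPolicy XML body; the owner and grantee IDs are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Standard S3 XML namespaces; the page does not show the request body, so the
# S3-compatible format is an assumption of this example.
S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# From Table 1: READ, WRITE and FULL_CONTROL are honoured; READ_ACP and
# WRITE_ACP are not grantable (they are implied by the owner's full_control).
SUPPORTED = {"READ", "WRITE", "FULL_CONTROL"}
UNSUPPORTED = {"READ_ACP", "WRITE_ACP"}


def build_object_read_acl(owner_id: str, grantee_id: str) -> str:
    """Return the AccessControlPolicy body for a PUT Object ACL request that
    grants READ on one object to grantee_id, keeping owner_id as the owner."""
    ET.register_namespace("", S3_NS)
    ET.register_namespace("xsi", XSI_NS)
    policy = ET.Element(f"{{{S3_NS}}}AccessControlPolicy")
    owner = ET.SubElement(policy, f"{{{S3_NS}}}Owner")
    ET.SubElement(owner, f"{{{S3_NS}}}ID").text = owner_id
    acl = ET.SubElement(policy, f"{{{S3_NS}}}AccessControlList")
    grant = ET.SubElement(acl, f"{{{S3_NS}}}Grant")
    grantee = ET.SubElement(
        grant, f"{{{S3_NS}}}Grantee", {f"{{{XSI_NS}}}type": "CanonicalUser"}
    )
    ET.SubElement(grantee, f"{{{S3_NS}}}ID").text = grantee_id
    ET.SubElement(grant, f"{{{S3_NS}}}Permission").text = "READ"
    return ET.tostring(policy, encoding="unicode")


def audit_acl(body: str) -> dict:
    """Parse an AccessControlPolicy body and list every grant, separating out
    permissions the vault does not support and grants that confer ownership."""
    root = ET.fromstring(body)
    ns = {"s3": S3_NS}
    report = {"grants": [], "unsupported": [], "full_control": []}
    for grant in root.findall("s3:AccessControlList/s3:Grant", ns):
        grantee_id = grant.findtext("s3:Grantee/s3:ID", default="", namespaces=ns)
        perm = grant.findtext("s3:Permission", default="", namespaces=ns)
        report["grants"].append((grantee_id, perm))
        if perm in UNSUPPORTED:
            report["unsupported"].append((grantee_id, perm))
        elif perm == "FULL_CONTROL":
            report["full_control"].append(grantee_id)
    return report


# Constructed sample ACL body (not captured from a real system) mixing a
# supported READ grant with an unsupported READ_ACP grant and a FULL_CONTROL grant.
SAMPLE_ACL = f"""<AccessControlPolicy xmlns="{S3_NS}">
  <Owner><ID>owner-1</ID></Owner>
  <AccessControlList>
    <Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser"><ID>user-7</ID></Grantee><Permission>READ</Permission></Grant>
    <Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser"><ID>user-9</ID></Grantee><Permission>READ_ACP</Permission></Grant>
    <Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser"><ID>user-3</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
  </AccessControlList>
</AccessControlPolicy>"""


if __name__ == "__main__":
    print(build_object_read_acl("owner-1", "user-7"))
    print(audit_acl(SAMPLE_ACL))
```

The audit function is the part worth keeping around: run it over the ACL bodies returned by GET Object ACL and anything other than the expected READ/WRITE grants, or any grantee holding FULL_CONTROL who is not the intended owner, is worth a second look.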

In Vault Mode, a vault cannot be granted to any grantee with "Owner" permission. A system administrator can also configure whether the end user can use storage APIs (for example, SOH and S3) to create new vaults or delete existing vaults using the Provisioning API defined in the Manager REST API Development Guide.